Security | BuildJet

How does BuildJet for GitHub Actions work?

BuildJet offers managed high-performance runners for your GitHub Actions jobs. Instead of using GitHub Actions hardware, you run your GitHub Actions CI jobs on our hardware, while retaining all things GitHub Actions.

How do I know I can trust BuildJet with my data?

BuildJet does a couple of things to protect your data: your data lives on our secure servers, all communication is securely encrypted, we have tight control over who can access the servers, access is heavily audited and logged, and we never save your code on our servers after a jobs has finished.

Where is my data stored?

Every job runs in an isolated secure virtual machine. After every job run, we delete the entire virtual machine with its content. This includes everything from code to secrets. Completely wiped. If you need anything stored after a job has finished, you need to upload it to a 3rd party server.

Your account data (e.g., GitHub username) and webhook metadata(e.g., job name, duration) is the only is the only thing we store longer than a job run. The server hosting the database is fully encrypted. If you request to leave the service, that data will be wiped and deleted.

How do I verify that BuildJet does not store my secrets?

BuildJet does not store anything related to a job run after it’s finished. It runs in an isolated secure virtual machine. The creation of virtual machines is coordinated by GitHub's official runner software(actions/runner). The communication between BuildJet and GitHub is fully encrypted.

How do I have guarantees that BuildJet isn’t going to do anything it shouldn’t?

We believe people who use our service expect us to store their data securely, respect their business secrets and have their data security a primary priority. We pledge to keep your code secret and not accessed by us. To be clear, your code will never be sold. We understand that we must gain your trust every day, and that this will not be simple.

How are you keeping my data separate from other users? Will “neighbors” on your system be able to observe what other runners are doing? How do you prevent those attacks?

BuildJet uses virtual machines, which are regarded by the industry as secure for isolation. We specifically use KVM to create and destroy virtual machines. KVM is built into the Linux kernel and used by millions of developers every day to create and delete virtual machines. Because of our rules around authentication, encryption, and other security measures, people won't be able to see what other runners are doing or storing.

What logs do you keep and for how long?

The only logs we keep are metadata on who started a CI job, when it started, for how long it lasted and what hardware they chose. We keep this to understand how our business is doing over time.

Do you store code and secrets after the run is finished?

Absolutely not.

How can I report a security vulnerability?

For details on how to report security issues, please refer to our security.txt